ASA pair configuration for Link Redundancy

ivanlaszik
Level 1

Hello,

In one of my datacenters the internet uplink is provided by 2 physical cables which have the following redundancy setup:

When the link on the end of cable 1 is gone, the IP (provided by the DC) will be routed via the 2nd cable. When the link on the 1st cable returns, the IP will be automatically moved back to cable 1 regardless of what happens to cable 2 or the device connected to it.

I have two ASAs configured in active/standby failover. Cable 1 goes into ASA 1 and cable 2 into ASA 2. ASA 1 is primary active.

The problem is that if ASA 1 has some software problem OR if I make it standby (mostly for update purposes), the port to which cable 1 is connected still has link, thus the DC's redundancy will not switch to cable 2, thus I am offline. With this scenario I cannot do a proper update of the ASA firmware, because if I switch the primary to standby I lose connection. This is a far away site from me, thus I cannot go on site and intervene. The DC does not offer any other mechanism; this has been discussed many times.

Also if I simply reboot ASA 1, ASA 2 becomes active, ASA 1 returns as Standby, and again I am offline.

What is the best way to handle this type of uplink redundancy with an ASA pair without extra hardware?

How would I reboot ASA 1 so that it returns as active, if I would like to do updates? A short downtime would not be a problem.

Thanks,

Ivan.


PS: not a networking/ASA expert, so please bear with me.

15 Replies

marce1000
VIP


- Well I would say that the redundancy setup between the ASA and the internet endpoints (cables) is collisional, the best solution is to have an ethernet-channel from the ASA-pair to the internet layering or access infrastructure, where both links from the ASA can be handled on dual manner on an internet-router (e.g.).

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Richard Burts
Hall of Fame

Ivan


There are several points in your post that we can address.

- It might help our understanding of the issues if you could provide some clarification of the topology. @marce1000 suggests a topology where the ASAs connect to a switch that then provides outbound connectivity. It is not clear what your ASAs are connected to: a switch, or something else?

- It also might help if you could provide information about the addressing. Active/standby assumes that both ASAs have IP addresses in the same subnet and that the ASAs have visibility to each other on those addresses. Is this the case with your ASAs? 

- So what does cable 1 connect to and what is its address? And what does cable 2 connect to and what is its address?

- Sometimes there are issues in accessing the ASA that is in standby mode. I believe that much of this is due to the fact that in active/standby the active ASA has the dynamic routing table with all of the routes but the standby ASA does not have the active routing table.

- It is in the design of active/standby that if you reboot ASA1 (the active ASA), when it comes back online it will function as standby. There are several reasons why this is a good thing. I do not know of a way to have ASA1 automatically become the active ASA. But when ASA1 is again online you can enter a command on ASA2 to fail back so that ASA1 is again the active ASA.

HTH

Rick

Hi Rick,

In front of the ASAs is, from what the DC told me, a router, or rather 2. Each of the uplinks goes to a separate router, which then provide the link failover. I have not much information about further equipment as this is the datacenter's infra; I just have a rack there with colocation service and two cables. The rest is my stuff. The IP I have from them is a public internet routed IP, 94.186.x.x, which is directly configured on one ASA iface. I have a range of 64 IPs from them and a gateway. So when cable 1 has a link at either side, this is where the IP range is routed. If cable 1 loses link, the IP range is routed on the 2nd cable. The failover link between the ASAs is a directly connected cable. No other equipment in between.

I think the solution to my update problem would be to assign the standby ASA a second public IP from the range I have, on the WAN iface. Then, when they switch roles, I could reach the primary standby with the 2nd IP and switch the roles back.

However, this does not solve my redundancy problem. Because as soon as the primary becomes standby, for whatever reason, all the services I am running there would not be reachable anymore. Just my manual intervention would fix it.

I also need a solution to handle this uplink redundancy. But I think without extra HW between the ASAs and the DC's cables there is no chance, right?

Regards,

Ivan.

Ivan


Thanks for the additional information. I am not understanding the topology of 2 ASAs connected to 2 routers. I understand what 2 ASAs configured as active/standby do in case of a failover. But I am not clear how that works with connection to 2 routers. Perhaps we would understand it better if you give us the IP addressing and mask of both ASAs. If they are public IPs then you can change the first octet to obscure what your addresses really are (if public IP is class A then first octet is 10, if public IP is class B then first octet is 172, if public IP is class C then first octet is 192). That way your addressing is protected and we have a better understanding of the environment.


If you would post the output of the ARP table on both ASAs it might give us insight into the addressing of the connected routers.

HTH

Rick

Hi Rick,

The public IP that is configured on my active WAN iface is ##.186.234.131 with mask 255.255.255.192. GW is 234.129.

The standby WAN iface has no IP configured yet.

At some point the datacenter told me the following: the two cables are connected to two routers in an active/standby configuration using Virtual Router Redundancy Protocol.
They are monitoring iface availability. As long as cable 1 has link, it serves the public IP. If link is gone, the 2nd router serves the public IP.

Unfortunately, when ASA1 becomes standby the link on the port is still there, so the redundancy of the datacenter does not fail over, leaving me offline.

The current ARP table on my ASAs looks like this:

Primary Active:
CB-STU-ASA# show arp
WAN_1 ##.186.234.130 d007.ca4a.bbc1 0
WAN_1 ##.186.234.129 0000.5e00.0102 1682 
STU_LAN_1 172.26.220.8 506b.8ded.cf3e 282
FAILOVER 1.1.1.2 b08b.cf6e.e19f 6972
Secondary Standby:
CB-STU-ASA# show arp
WAN_1 ##.186.234.130 d007.ca4a.bbc1 0
WAN_1 ##.186.234.129 0000.5e00.0102 1766
management 172.26.1.3 54e1.ada7.6bc1 4853
STU_LAN_1 172.26.220.8 506b.8ded.cf3e 1

I removed most of the entries which are inside my LAN. Don't think you need it.

Even the datacenter told me that with my FW configuration, to reach my desired failover mechanism, an extra switch would be needed between my ASAs and their cables. However, I still wanted to hear from ASA experts if there is, maybe, a way to get it done without extra HW. I think the only way is to assign the standby ASA WAN iface an IP address, then when the primary becomes standby, quickly log in and make it active again.

The datacenter will not change their redundancy mechanism for us. We already asked.

All the best,
Ivan.

Ivan


Thanks for the additional information. I have not done an ASA communicating to Virtual Router Redundancy Protocol. So this is an interesting environment to think about. I believe that a switch connecting both ASAs and the 2 routers will help it to work, and frankly I am not sure that it can work well without the switch. I also believe that configuring an IP for the standby will be beneficial. If there is not a standby IP address then I can understand better how ASA1 gets isolated when there is a failover event and ASA2 becomes the active ASA.

HTH

Rick

Hi Rick,

I configured a public standby IP and the update routine worked; of course the services behind the ASA were unavailable, but at least I could switch the primary back to active.

The problem is, however, that as soon as I configure the standby IP, the secondary standby ASA is marked as failed, because the cable on the ASA2 WAN iface has no link, thus ASA marks it as failed. So probably the failover mechanism is not working as expected. If I stopped the monitoring on that iface then it was marked again as standby ready. But if it is not monitored and ASA1 or the link on ASA1 goes down then it will not failover to ASA2, as far as I read.

I will, however, install a switch in front of the ASAs.

Thanks,

Ivan
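
The interface, failover and monitoring settings discussed in this post and in the earlier replies about a standby address and failing back, as an added example (not Ivan's configuration). The interface names and the 1.1.1.x failover-link addresses come from the thread; the physical slot for the failover link and the 203.0.113.0/26 addresses are assumed placeholders standing in for the thread's ##.186.234.0/26.

```cisco
! Added example, not the poster's running configuration. Interface names
! (WAN_1, STU_LAN_1, FAILOVER) and the failover-link addresses come from the
! thread; the public addresses are placeholders in 203.0.113.0/26 standing in
! for ##.186.234.0/26 (gateway .129, active unit .131).
!
! --- WAN interface ---------------------------------------------------------
interface GigabitEthernet0/0
 nameif WAN_1
 security-level 0
 ! Without the "standby" address the unit that drops to standby has no
 ! address on WAN_1 and cannot be reached to fail back (the update problem).
 ip address 203.0.113.131 255.255.255.192 standby 203.0.113.132
!
route WAN_1 0.0.0.0 0.0.0.0 203.0.113.129 1
!
! --- Failover pair (on the primary; the secondary uses "lan unit secondary")
! Physical port for the failover link is assumed.
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/7
failover interface ip FAILOVER 1.1.1.1 255.255.255.0 standby 1.1.1.2
!
! --- Interface health monitoring -------------------------------------------
! The DC moves the prefix only when cable 1 loses link, so the standby unit's
! WAN_1 port has no link at all. A monitored WAN_1 therefore marks that unit
! "Failed" (the symptom reported above). Turning monitoring off clears the
! failed state, but a WAN_1 link loss on the active unit then no longer
! triggers ASA failover; a switch in front of both units, giving both WAN_1
! ports link, is what removes that trade-off.
no monitor-interface WAN_1
monitor-interface STU_LAN_1
!
! --- Failing back after ASA1 returns (exec mode, not configuration) ---------
! On ASA1 (primary, now standby):     failover active
! or on ASA2 (secondary, now active): no failover active
! Confirm the roles afterwards with:  show failover
```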

Ivan


Thanks for the update. I believe that installing a switch between your ASAs and the provider will solve the issue on the ASA side. With a switch connected, both ASA WAN interfaces will have link, and they will be able to communicate with each other. VRRP is still an unknown in this situation. I am not clear what effect installing a switch will have on how they provide failover processing. But since it looks like they did suggest installing a switch, it should be good on their side also.

HTH

Rick

Hello

My understanding is that with ASA HA failover it's recommended that the two physical FWs are indeed interconnected via an L2 switch, thus not directly connected.

Also check to make sure all the L3 interfaces running on the primary ASA have a standby address as well.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

Good idea with the IP on the standby ASA iface. Will try that.

Thanks,

Ivan.

Hello

Note: any configuration changes should be appended on the primary ASA.



Kind Regards
Paul

Hi Paul,

Will I be able to reach the device by the public standby IP?

Asking this because the internal standby IP I can reach only from its own subnet, not from other subnets I have internally. The active internal IP I can reach from any internal subnet, however. Both active and standby IPs are in the same subnet.

All the best,

Ivan.

Hello

My understanding is that the gateway address for each interface will always be the primary address, even in the event of failover.



Kind Regards
Paul

Since this is ASA failover, the Inside and Outside interfaces need an L2 connection between both ASAs.